Skip to content
/ sane Public
forked from buffrr/letsdane

Implementation of stateless DANE for handshake DNS.

License

Apache-2.0 license
4 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

randomlogin/sane

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

137 Commits
.github
.github
 
 
cmd/sane
cmd/sane
 
 
prove
prove
 
 
proxy
proxy
 
 
resolver
resolver
 
 
sync
sync
 
 
tld
tld
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
cert.go
cert.go
 
 
cert_test.go
cert_test.go
 
 
dialer.go
dialer.go
 
 
dialer_test.go
dialer_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
tls.go
tls.go
 
 
tls_test.go
tls_test.go
 
 
tunnel.go
tunnel.go
 
 
tunnel_test.go
tunnel_test.go
 
 

Repository files navigation

Stateless DANE

This repository contains code for proof-of-concept client implementation of stateless DANE.
Server part can be found here: https://github.com/htools-org/stateless-dane.
Based on letsdane.

How it works

Similar to letsdane, it sets up a proxy server which listens for incoming connections, resolves the hostname, checks if the provided certificate is correct and then outputs a self-signed certificate (signed by local certificate authority which has to be added to the browser's trusted ones).

hnsd

Internally it uses hnsd to sync tree roots. The initial syncronization might take several minutes. Afterwards, using checkpoints, hnsd has to syncrhonize last ~2k roots which usually takes 5 seconds. After synchronization, hnsd is terminated.

Internal hnsd daemon has 5350 as a default port.

Install

Dependencies:

apt-get install libgetdns-dev

Actual build

git clone https://github.com/randomlogin/sane.git && cd sane/cmd/sane
go build

Next, in order to use SANE it's needed to have hnsd installed. One can provide the path to the hnsd executable either via flag -hnsd or via environment variable

export HNSD_PATH="~/hnsd/hnsd"

Default directory containing CA files and saved tree roots is ~/.sane/.

Usage

SANE will generate a certificate authority and store it in ~/.sane when you start it for the first time.
To start SANE using handshake DNS Over HTTPS resolver:

export HNSD_PATH="~/hnsd/hnsd"
./sane -r https://hnsdoh.com

An additional parameter can be added: the external server which provides both DNSSEC and urkel proof for the domain, which allows to browse websites without SANE-compliant certificates (of course this external service must be trusted).

./sane -r https://hnsdoh.com -external-service https://sdaneproofs.htools.work/proofs/

Additional arguments can be viewed by invoking help:

./sane --help

Urkel tree

SANE looks for an extension in the certificate which contains an urkel tree proof, verifies it, checks if the root is not older than a week.
Native golang implementation of urkel tree is used.

DNSSEC

Another extension from the certificate contains DNSSEC verifiation chain. Its verification is done locally using getdns, it does not call any resolvers.

Browser settings

  • Add SANE proxy to your web browser 127.0.0.1:8080 (Firefox example)
  • Import the certificate file into your browser certificate store (Firefox example).

Requirements

Go 1.21+ is required.
hnsd 2.99.0+ is required.

Example websites

Following websites provide examples of websites compliant with SANE (including wildcard certificates):

Debug

Default output log provides sufficient information about what is happening, though additional --verbose flag might help to locate the exact code locations where the logging comes from.

About

Implementation of stateless DANE for handshake DNS.

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity

Stars

4 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 8

v0.0.14 Latest
Jul 1, 2024
+ 7 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages

  • Go 97.1%
  • C 2.9%